Security patch Update | Breaking Cybersecurity News | The Hacker News

If you own a Mac laptop or desktop, you need to update your system right now. It turns out that the critical zero-day security vulnerabilities disclosed last week, which targeted iPhone and iPad users, affect Mac users as well. Late last week, Apple rolled out iOS 9.3.5 update to patch a total of three zero-day vulnerabilities that hackers could have used to remotely gain control of an iPhone by simply making the victim click a link. Dubbed "Trident," the security holes were used to create spyware (surveillance malware) called ' Pegasus ' that was apparently used to target human rights activist Ahmed Mansoor in the United Arab Emirates. Pegasus could allow an attacker to access an incredible amount of data on a target victim, including text messages, calendar entries, emails, WhatsApp messages, user's location, microphone. Pegasus Spyware could even allow an attacker to fully download victim's passwords and steal the stored list of WiFi networks,

In Brief Microsoft's August Patch Tuesday offers nine security bulletins with five rated critical, resolving 34 security vulnerabilities in Internet Explorer (IE), Edge, and Office, as well as some serious high-profile security issues with Windows. A security bulletin, MS16-102 , patches a single vulnerability (CVE-2016-3319) that could allow an attacker to control your computer just by getting you to view specially-crafted PDF content in your web browser. Users of Microsoft Edge on Windows 10 systems are at a significant risk for remote code execution (RCE) attacks through a malicious PDF file. Web Page with PDF Can Hack Your Windows Computer Since Edge automatically renders PDF content when the browser is set as a default browser, this vulnerability only affects Windows 10 users with Microsoft Edge set as the default browser, as the exploit would execute by simply by viewing a PDF online. Web browsers for all other affected operating systems do not automatically

Super Low RPO with Continuous Data Protection: Dial Back to Just Seconds Before an Attack Zerto , a Hewlett Packard Enterprise company, can help you detect and recover from ransomware in near real-time. This solution leverages continuous data protection (CDP) to ensure all workloads have the lowest recovery point objective (RPO) possible. The most valuable thing about CDP is that it does not use snapshots, agents, or any other periodic data protection methodology. Zerto has no impact on production workloads and can achieve RPOs in the region of 5-15 seconds across thousands of virtual machines simultaneously. For example, the environment in the image below has nearly 1,000 VMs being protected with an average RPO of just six seconds! Application-Centric Protection: Group Your VMs to Gain Application-Level Control   You can protect your VMs with the Zerto application-centric approach using Virtual Protection Groups (VPGs). This logical grouping of VMs ensures that your whole applica

Just yesterday, I wrote a warning article announcing that Drupal – the popular open source content management system – will release patches for several highly critical Remote Code Execution (RCE) bugs that could allow attackers to fully take over any affected site. Below are the three separate Drupal modules that affect up to 10,000 websites: 1. RESTful Web Services – a popular module used for creating REST APIs, which is currently installed on at least 5,804 websites. The vulnerability in RESTWS alters the default page callbacks for entities to provide additional functionality, allowing attackers to "send specially crafted requests resulting in arbitrary PHP execution." Since anonymous users can exploit this vulnerability and there isn't any mitigating factor, users are advised to patch their websites as soon as possible. Admins using RESTful Web Services versions 7.x-2.x prior to 7.x-2.6 and versions 7.x-1.x prior to 7.x-1.7 for their Drupal websites are

The extraordinary ' Panama Papers leak ' from Law firm Mossack Fonseca that exposed the tax-avoiding efforts by the world's richest and most influential members was initially believed to be the result of an unpatched vulnerability in the popular content management systems: Drupal and WordPress. Now, we are quite sure that the Panama Papers, which implicated 72 current and former heads of state, was due to vulnerabilities in Drupal and WordPress that allowed hackers to get into the law firm's system and stole over 11.5 Million files (around 2.6 Terabytes of data). The Drupal Security Team has announced that critical patches to address several security issues in Drupal contributed modules, including several highly critical Remote Code Execution (RCE) vulnerabilities, will be released today at 16:00 UTC. According to an advisory, the critical arbitrary remote PHP code execution vulnerability ( PSA-2016-001 ) affects up to 10000 Drupal websites. However, "Drupal c

Microsoft's July Patch Tuesday offers 11 security bulletins with six rated critical resolving almost 50 security holes in its software. The company has patched a security flaw in the Windows Print Spooler service that affects all supported versions of Windows ever released, which if exploited could allow an attacker to take over a device via a simple mechanism. The "critical" flaw ( CVE-2016-3238 ) actually resides in the way Windows handles printer driver installations as well as the way end users connect to printers. The flaw could allow an attacker to install malware remotely on victim machine that can be used to view, modify or delete data, or create new accounts with full user rights; Microsoft said in MS16-087 bulletin posted Tuesday. Users who are logged in with fewer user rights on the system are less impacted than users who operate with administrative user rights, such as some home accounts and server users. Microsoft said the critical flaw could

Microsoft has released 13 security bulletins, six of which are considered to be critical, resolving a total of 41 security vulnerabilities in its software this month. Every Windows version Affected: One of the critical vulnerabilities affects all supported version of Windows , including Microsoft's newest Windows 10 operating system, as well as Windows Server 2016 Tech Preview 4. The memory-corruption flaw ( MS16-013 ) could allow a remote attacker to execute arbitrary code as the logged-in user by tricking a user into opening a specially crafted Journal file. This vulnerability would let the attacker run malicious programs on victim's machine, even delete data and create new accounts with full user rights. Administrator accounts are at the greatest risk than users with a fewer user rights account on the system. However, the good news is the vulnerability has not been spotted in the wild. List of All Critical Vulnerabilities Other Critical Secur

The US-based software maker Oracle delivered an unusual out-of-box emergency patch for Java in an effort to fix a during-installation flaw on the Windows platforms. The successful exploitation of the critical vulnerability, assigned CVE-2016-0603 , could allow an attacker to trick an unsuspecting user into visiting a malicious website and downloading files to the victim's system before installing Java 6, 7 or 8. Although the vulnerability is considered relatively complex to exploit, a successful attack results in " complete compromise " of the target's machine. What You Need to Know About the Java Exploit The successful attack requires an attacker to trick a suitably unskilled user for opening a Java release even though the user is nowhere near the Java Website. Since the existence of the loophole is only during the installation process, users are not required to upgrade their existing Java installations in order to address the vulnerability.

Google has released the February Security Update for Android that patches multiple security vulnerabilities discovered in the latest version of Android operating system. In total, there were five "critical" security vulnerabilities fixed in the release along with four "high" severity and one merely "moderate" issues. Remote Code Execution Flaw in WiFi A set of two critical vulnerabilities has been found in the Broadcom WiFi driver that could be exploited by attackers to perform Remote Code Execution (RCE) on affected Android devices when connected to the same network as the attacker. The vulnerabilities (CVE-2016-0801 and CVE-2016-0802) can be exploited by sending specially crafted wireless control message packets that can corrupt kernel memory, potentially leading to remote code execution at the kernel level. "These vulnerabilities can be triggered when the attacker and the victim are associated with the same network," read

If you are using Magento to run your e-commerce website, it's time for you to update the CMS ( content management system ) now. Millions of online merchants are at risk of hijacking attacks due to a number of critical cross-site scripting (XSS) vulnerabilities in the Magento, the most popular e-commerce platform owned by eBay. Why the Bugs are So Serious? Virtually all versions of Magento Community Edition 1.9.2.2 and earlier as well as Enterprise Edition 1.14.2.2 and earlier, are vulnerable to the Stored Cross-Site Scripting (XSS) flaws. The stored XSS flaws are awful as they allow attackers to: Effectively take over a Magento-based online store Escalate user privileges Siphon customers' data Steal credit card information Control the website via administrator accounts However, the good news is that the vulnerabilities are patched, and an update has been made available to the public after security firm Sucuri discovered and privately reported the v

Yes, from today, Microsoft is ending the support for versions 8, 9 and 10 of its home-built browser Internet Explorer, thereby encouraging Windows users to switch on to Internet Explorer version 11 or its newest Edge browser . Microsoft is going to release one last patch update for IE8, IE9 and IE10 today, but this time along with an " End of Life " notice, meaning Microsoft will no longer support the older versions. So, if you want to receive continuous updates for your web browser and avoid being exposed to potential security risks after 12 January, you are advised to upgrade your browser to Internet Explorer 11, or its new Edge browser. End of Life of Internet Explorer 8, 9 and 10  "Internet Explorer 11 is the last version of Internet Explorer, and will continue to receive security updates, compatibility fixes, and technical support on Windows 7, Windows 8.1, and Windows 10," Microsoft says . This move could be part of Microsoft's bigger

The Adobe Flash Player just said goodbye to the year with another bunch of vulnerability patches. Adobe released an out-of-band security update on Monday to address Nineteen ( 19 ) vulnerabilities in its Flash Player, including one ( CVE-2015-8651 ) that is being exploited in the wild. All the programming loopholes could be abused to execute malicious code (here malicious Flash file on a web page) on victims' computers in order to hijack an unpatched PC or Mac entirely. So, if you are running the Flash Player plugin on Windows, Mac OS X, Linux, or Chrome OS, it is time for you to upgrade your system as soon as possible before criminals start taking advantage of the bugs. Here're the details of the Flash's 19 security vulnerabilities patched in the emergency APSB16-01 update posted Monday afternoon: A Type Confusion Vulnerability that could lead to arbitrary code execution ( CVE-2015-8644 ) An Integer Overflow Vulnerability that also leads to code e

Security issues have long tantalized over 850 Million users that have Oracle's Java software installed on their computers. The worst thing is that the software was not fully updated or secure for years, exposing millions of PCs to attack. And for this reason, Oracle is now paying the price. Oracle has been accused by the US government of misleading consumers about the security of its Java software. Oracle is settling with the Federal Trade Commission (FTC) over charges that it " deceived " its customers by failing to warn them about the security upgrades. Java is a software that comes pre-installed on many computers and helps them run web applications, including online calculators, chatrooms, games, and even 3D image viewing. Oracle Left Over 850 Million PCs at Risk The FTC has issued a press release that says it has won concessions in a settlement with Oracle over its failure to uninstall older and insecure Java SE software from customer PCs u

Microsoft has rolled out six security updates this Patch Tuesday , out of which three are considered to be " critical, " while the rest are marked as " important. " Bulletin MS15-106 is considered to be critical for Internet Explorer (IE) and affects absolutely all versions of Windows operating system. The update addresses a flaw in the way IE handles objects in memory. The flaw could be exploited to gain access to an affected system, allowing hackers to gain the same access rights as the logged-in user. A hacker could " take advantage of compromised websites, and websites that accept or host user-provided content or advertisements ," the advisory states. " These websites could contain specially crafted content that could exploit the vulnerabilities. " Therefore, the dependency here is that an IE user must knowingly click on the malicious link, which then be leveraged by an attacker to get the full control over a computer t

Google reportedly fixed the latest round of Stagefright vulnerabilities in Android, pushing its latest over-the-air (OTA) update to Nexus devices. Last week, researchers warned of Stagefright 2.0 vulnerability that affected more than one Billion Android devices dating back to the latest versions of the Android operating system. The Stagefright bugs allowed hackers to take control of affected Android devices by sending a malicious audio or video file. In April, Zimperium researchers disclosed the first Stagefright vulnerability that allowed hackers to hijack any Android smartphones with just a simple text message ( exploit code ). As promised, Google on Monday pushed a patch that fixes the holes in Stagefright media playback engine used by Android to process, record and play multimedia files such as PDFs. The patch fixes 30 vulnerabilities in total, which includes: 14 critical vulnerabilities in Stagefright library 5 Remote Code Execution bugs 8 Eleva

Apple has rolled out the second minor iteration of its newest mobile operating system iOS 9, which fixes the iOS lockscreen vulnerability . The widely publicized LockScreen bug allowed anyone with physical access to your iOS device running iOS 9.0 or  iOS 9.0.1 to access all the contacts and photos without unlocking the device. Just one week after the last update iOS 9.0.1, Apple rolled out iOS 9.0.2 update that fixes: iMessage activation problems An issue with mobile data settings An issue with iCloud Backup An issue where the screen incorrectly rotates when receiving notifications Improves the stability of Podcasts According to an update on Apple's support website, the iOS lockscreen issue was the only security bug fixed in the latest iOS 9.0.2 release. Last week, iPhone user Jose Rodriguez published a " dead simple " method to bypass lock screen of the devices running iOS 9 and iOS 9.0.1. Using the benevolent nature of Apple's

With the release of 12 Security Bulletins , Microsoft addresses a total of 56 vulnerabilities in its different products. The bulletins include five critical updates, out of which two address vulnerabilities in all versions of Windows. The September Patch Tuesday update (released on second Tuesday of each month) makes a total of 105 Security Bulletins being released this year; which is more than the previous year with still three months remaining for the current year to end. The reason for the increase in the total number of security bulletins within such less time might be because of Windows 10 release and its installation reaching to a score of 100 million. Starting from MS15-094 to   MS15-105 ( 12 security bulletins ) Microsoft rates the severity of the vulnerabilities and their impact on the affected software. Bulletins MS15-094 and MS15-095 are the cumulative updates, meaning these are product-specific fixes for security related vulnerabilities that are rated

Wanna hack someone's Android smartphone by sending just an MMS message? Yes, you can, because Google's patch for the Stagefright vulnerability in hundreds of Millions of Android devices is BUGGY. Last week, Google issued an official patch for Stagefright vulnerability that affects 95 percent of Android devices running version 2.2 to version 5.1 of the operating system, an estimated 950 Million Android devices in use worldwide. But, the patch is so flawed that hackers can still exploit the Stagefright vulnerability (CVE-2015-3824) anyways. "The [original] patch is four lines of code and was (presumably) reviewed by Google engineers prior to shipping," researchers at Exodus Intelligence wrote in a blog post published Thursday. "The public at large believes the current patch protects them when it, in fact, does not." Buggy Patch Issued by Google The patch doesn't fix the vulnerability, allowing booby-trapped MP4 videos that supplied

Updated your PCs to Windows 10 ? Now it's time to patch your Windows 10 software. Microsoft has issued its monthly Patch Tuesday by releasing 14 security bulletins , nearly half of it address vulnerabilities in its latest operating system, Windows 10. Four of them are marked critical, affecting Windows, .Net Framework, Microsoft Office, Microsoft Lync, Internet Explorer, Microsoft Silverlight and Edge Browser . Yes, the critical update includes even Edge browser – Microsoft's newest and supposedly super-secure web browser. Windows users are advised to patch their system as soon as possible because the security flaws can be remotely exploited to execute malicious code on vulnerable systems, allowing hackers to install malware and take full control of systems. Most Critical Security Updates: MS15-079 – The critical update fixes a total of 10 privately disclosed flaws in Internet Explorer. Most of these flaws allow a hacker to execute malicious code on v

Apple has released updates to patch dozens of security vulnerabilities in iOS and OS X Yosemite operating system. The updates include iOS 8.4 version of the mobile operating system, OS X Yosemite 10.10.4 and Security Update 2015-005. iOS 8.4 Update The iOS 8.4  update includes patches for over 20 security vulnerabilities that could lead to remote code execution (RCE) , application termination, the intercepted encrypted traffic, man-in-the-middle attacks and other problem. Certificate trust policy issues, buffer overflow vulnerabilities, apache compatibility issues, memory corruption flaws, and a host of WebKit, kernel, and CoreText vulnerabilities were also patched in the latest iOS update. OS X Yosemite 10.10.4 update The OS X Yosemite 10.10.4 update includes patches for QuickTime, ImageIO, and OpenSSL along with Remote Code Execution (RCE) flaws and other issues that may allow attackers to gain elevated privileges or crash applications. The Safari 8.

This week you have quite a long list of updates to follow from Microsoft, Adobe as well as Firefox. Despite announcing plans to kill its monthly patch notification for Windows 10, the tech giant has issued its May 2015 Patch Tuesday , releasing 13 security bulletins that addresses a total of 48 security vulnerabilities in many of their products. Separately, Adobe has also pushed a massive security update to fix a total of 52 vulnerabilities in its Flash Player, Reader, AIR and Acrobat software. Moreover, Mozilla has fixed 13 security flaws in its latest stable release of Firefox web browser, Firefox 38, including five critical flaws. First from the Microsoft's side: MICROSOFT PATCH TUESDAY Three out of 13 security bulletins issued by the company are rated as 'critical', while the rest are 'important' in severity, with none of these vulnerabilities are actively exploited at this time. The affected products include Internet Explorer (IE),